How to use ImageMagick to test if received input is an image (for security purposes)? - security

Imagine an environment in which users can upload images to a website by either uploading it from their pc or referring to a remote url.
As part of some security checks I'd like to make sure that the referenced object is indeed an image.
In the case of a remote-url, I of course check the content-type, but this isn't bullet-proof.
I figured I could use ImageMagick to do the task. Perhaps executing the ImageMagick.identify() method, and if no error is returned and the returned type is JPG, GIF, etc., the content is an image. (In a quick check I noticed that TXT files are identified correctly as well, so I have to blacklist these.)
Is there any better way of doing this?

You could probably simply load the image via ImageMagick's appropriate function for your language of choice. If the image isn't formatted properly (in terms of internal formatting, not its aesthetic properties, that is), I would expect ImageMagick to refuse to load it and report an error. In PHP, for example, readImage returns false if the image fails to load.
Alternatively, you could read the first few hundred bytes of the file and determine if the expected image file format headers are present; e.g., "GIF89" etc.

These checks may backfire if your image is in a compressible format (PNG, GIF) and it is constructed in a way similar to a zip bomb: https://en.wikipedia.org/wiki/Zip_bomb
Some examples at ftp://ftp.aerasec.de/pub/advisories/decompressionbombs/pictures/ (nothing special about that site, I just googled decompression bombs).
Another related issue is that formats like SVG are in fact XML, and some image processing tools are prone to a variant of the "billion laughs" attack: https://en.wikipedia.org/wiki/Billion_laughs

You should not store the original file. The generally recommended approach is to always re-process the image and convert it to an entirely new file. There have been vulnerabilities exploited inside valid image files (see GIFAR), so checking for this would have been useless.
Never expose your visitors to an image file that you have not written out yourself and for which you did not choose the file name yourself.
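As an added example (not code from any of the answers above), a Python check that combines the magic-byte test and the decompression-bomb caveat raised in the answers: it reads only the declared dimensions from a PNG, GIF or JPEG header and refuses anything whose pixel count exceeds a budget before any decoder touches the data. The MAX_PIXELS budget and the sample headers are constructed for illustration.

```python
import struct

MAX_PIXELS = 50_000_000  # assumed budget: refuse to decode anything declared larger

def declared_dimensions(data: bytes):
    """(fmt, width, height) from the header alone, or None if not PNG/GIF/JPEG."""
    if data[:8] == b"\x89PNG\r\n\x1a\n" and data[12:16] == b"IHDR":
        w, h = struct.unpack(">II", data[16:24])
        return "PNG", w, h
    if data[:6] in (b"GIF87a", b"GIF89a"):
        w, h = struct.unpack("<HH", data[6:10])  # logical screen size
        return "GIF", w, h
    if data[:2] == b"\xff\xd8":  # SOI: walk marker segments to the first SOFn
        i = 2
        while i + 4 <= len(data):
            if data[i] != 0xFF:
                return None
            marker = data[i + 1]
            if marker in (0xFF, 0x01) or 0xD0 <= marker <= 0xD9:
                i += 1 if marker == 0xFF else 2  # fill byte / standalone marker
                continue
            seglen = struct.unpack(">H", data[i + 2:i + 4])[0]
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                if i + 9 > len(data):
                    return None
                h, w = struct.unpack(">HH", data[i + 5:i + 9])  # skip precision byte
                return "JPEG", w, h
            i += 2 + seglen
    return None

def check_image(data: bytes, max_pixels: int = MAX_PIXELS):
    """Accept only a recognised raster header whose declared size fits the budget.
    Text, and XML-based formats such as SVG, never get past the header check."""
    info = declared_dimensions(data)
    if info is None:
        return False, "no recognised image header"
    fmt, w, h = info
    if w == 0 or h == 0 or w * h > max_pixels:
        return False, f"{fmt} declares {w}x{h}, refusing to decode"
    return True, f"{fmt} {w}x{h}"

PNG_SIG = b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
SAMPLES = {  # constructed headers for illustration, not real uploads
    "png_ok": PNG_SIG + struct.pack(">IIBBBBB", 640, 480, 8, 6, 0, 0, 0),
    "png_bomb": PNG_SIG + struct.pack(">IIBBBBB", 100_000, 100_000, 8, 6, 0, 0, 0),
    "gif_ok": b"GIF89a" + struct.pack("<HH", 320, 200),
    "jpeg_ok": b"\xff\xd8\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
               + b"\xff\xc0" + struct.pack(">HBHH", 17, 8, 480, 640),
    "text": b"plain text, which 'identify' will still report as TXT\n",
}
```

This is a gate in front of the decoder, not a replacement for it: a file that passes should still be re-encoded (with the converter's resource limits set) and only the rewritten output served, as the answers above recommend.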

Related

.DDS to .PNG conversion in memory NodeJS

I've run into an issue where there are a collection of .dds(direct draw surface) files which I need to be able to display within an electron/react app. From what I know, a .dds file must be converted to a png/jpeg before being able to be rendered in an img tag. This must also be done completely in memory as I don't want to create additional files.
Here is what I've tried.
Preview-DDS: https://github.com/Jam3/preview-dds
DDS-Parser: https://github.com/Jam3/parse-dds
I noticed Preview-DDS has an option to convert .dds to .png, yet I had no luck replicating it in memory. This isn't a subject I'm really knowledgeable on, so I'm hoping someone can get me pointed in the right direction!

node.js read images from PDF

I need to use PDF in a way similar to ZIP/RAR, to hold many images (ancient Tibetan Buddhist literature), ideally 60000. But splitting into 10-100 volumes is OK.
Anything can be used for packing, but for unpacking we need Node.js, because the same PDF file must be served on the web. But some users will need to use the whole PDF.
So the question is, what Node module can I use to read any single arbitrary image from a huge PDF? An example would really help.
Every image is a single page. (Or in other words, every page is a single image.)
We have been using https://github.com/mirkokiefer/Node-Magick for this....
But the PNGs we get out are sometimes fairly low quality.

How to digitally sign Images like JPG TIFF and BMP

I wish to digitally sign my image collection, which consists of JPG, TIFF, BMP, SWF and FLA files.
My question is how to digitally sign these images? If I sign a JPG or TIFF, will the signature get attached to these files (as happens in document files like PDF or MS Word etc.)? If so, where does it get stored: in file metadata fields, or does it remain outside? Can I extract the signature data?
Please note I wish to sign these images individually and do not want them converted into any other format like PDF. Also I do not wish to sign them using an email client.
In general those formats were not designed with signing in mind, so your best option is to create a detached signature and keep it near the file. An alternative is to use wrapping signature but then other software won't be able to display the image until you remove the wrapper.
Storing the signature in metadata can be possible for some formats but what applications would be able to handle this?
I know it has been a long time, but you might want to look into steganography. Metadata can be extracted and removed from files. Steganography will allow you to embed digital signatures (encrypted phrases) in a way that is almost only detectable using statistical analysis.
You can also create a mime container which will contain the original image and a detached signature.
Attached signatures are only useful for specific apps, as they are not standard.
Try answering the poster's question folks, and not giving another unneeded and unwanted opinion; it's way too common these days in my humble opinion.
Obviously what the poster asked for is to use a signature to copyright his works, so you need to sign the image, period, and a method to do so.
So let's see... grab Gimp or Photoshop. Get your image and create a new layer with a transparent background. Write in a signature with your mouse or digital pen in an area near the bottom right edge. Choose merge layers and flatten image. Seems like that would do it.

Can I upload a spreadsheet to MediaWiki

I'm attempting to port some content from TWiki to MediaWiki and whereas the former seems to allow the uploading of spreadsheets, the latter does not. I'm not interested in displaying / previewing the spreadsheet - just a hyperlink would do fine.
I appreciate that I could store the Excel files 'off-wiki' and externally link to them, but it would be good to keep it all together if at all possible; otherwise we'll have to think about maintaining separate but logically linked filesystems etc.
Also, I would like to keep it in its original form rather than converting to HTML / JPG etc.
Has anyone hit this problem and if so, how was it solved?
Look in LocalSettings.php. You can then add this line: $wgFileExtensions = array('png', 'gif', 'jpg', 'jpeg', 'svg', 'xls'); (or whichever extensions you want). But be aware that you might want to switch this off after you've done your transfer, otherwise your server will quickly become full of files!
See also Manual:$wgFileExtensions

What is the difference between: image/x-citrix-pjpeg and image/pjpeg

Some files are uploaded with a reported MIME type:
image/x-citrix-pjpeg
They are valid jpeg files and I accept them as such.
I was wondering however: why is the MIME type different?
Is there any difference in the format? or was this mimetype invented by some light bulb at citrix for no apparent reason?
Update:
Ok, I did some more searching and testing on this question, and it turns out they're all lying about the MIME type (never trust any info sent by the client, I know).
I've checked a bunch of files with different encodings (created with libjpeg)
Official MIME type for jpeg files: image/jpeg
But some applications (most notably MS Internet Explorer but also Yahoo! mail) send jpeg files as image/pjpeg.
I thought I knew that pjpeg stood for 'progressive' jpeg. It turns out that progressive/standard encoding has nothing to do with it.
MS Internet Explorer sends out all jpeg files as pjpeg regardless of the contents of the file.
The same goes for Citrix: all jpeg files sent from a Citrix client are reported as the image/x-citrix-pjpeg MIME type.
The files themselves are untouched (identical before and after upload). So it turns out that the difference in MIME type is only an indication of the software used to send the file?
Why would people invent a new MIME type if there is no difference in the file contents?
image/x-citrix-pjpeg seems to be the MIME type sent by images which are exported from a Citrix session.
I haven't come across any format differences between them and regular JPEGs; most image conversion utilities will handle them the same as a regular pjpeg, once the appropriate mime-type rule is added.
It's possible that in a Citrix session there is some internal magic done when managing jpegs which led them to create this mime-type, which they leave on the file when it's exported from their systems, but that's only my guess. As I say, I haven't noticed any actual format differences from the occasional files in this format we receive.
The closest I have come to finding out what this is, is this thread. Hope it helps.
http://forums.citrix.com/message.jspa?messageID=713174
For some reason, when people are running Internet Explorer via Citrix, it changes the mime type for GIF and JPG files.
JPG: image/x-citrix-pjpeg
GIF: image/x-citrix-gif
Based on my testing, PNG files are not affected. I don't know if this is an Internet Explorer issue or Citrix.
It's to do with a feature of Citrix called SpeedBrowse, which intercepts jpegs and gifs in webpages on the [Citrix] server side, so that it can send them whole via ICA (the Citrix remoting protocol) -- this is more efficient than screen-scraping them. As a previous poster suggested, this is implemented by marking the images with a changed mime type.
IIRC it hooks FindMimeFromData in IE to change the mime type on the fly, but this is being applied to uploaded files as well as downloaded ones - surely a bug.
From what I recall the Progressive JPG format is the one that would allow the image to be shown with progressively higher resolution as the download of the file progressed. I am not entirely aware of the details, but if you remember back in the days of dial up, some files would show blurry, then better and eventually complete as they were downloaded. For this to work the data needs to be sent in a different order than a JPEG would typically be sent.
The actual data, once you view it, is identical; it is just sent in a different order. The JPEG encoding itself may very well group pixels differently, I forget.